Old software makes new electoral systems ripe for hacking

|     Tami Abdollah     |

WASHINGTON (AP) — Pennsylvania’s message was clear: The state was taking a big step to keep its elections from being hacked in 2020. Last April, its top election official told counties they had to update their systems. So far, nearly 60 per cent have taken action, with USD14.15 million of mostly federal funds helping counties buy brand-new electoral systems.

But there’s a problem: Many of these new systems still run on old software that will soon be outdated and more vulnerable to hackers.

An Associated Press analysis has found that like many counties in Pennsylvania, the vast majority of 10,000 election jurisdictions in the United States (US) use Windows 7 or an older operating system to create ballots, programme voting machines, tally votes and report counts.

That’s significant because Windows 7 reaches its “end of life” on Jannuary 14, meaning Microsoft stops providing technical support and producing “patches” to fix software vulnerabilities, which hackers can exploit. In a statement to the AP, Microsoft said last Friday it would offer continued Windows 7 security updates for a fee through 2023.

Critics said the situation is an example of what happens when private companies ultimately determine the security level of election systems with a lack of federal requirements or oversight.

Steve Marcinkus, an investigator with the Office of the City Commissioners, demonstrates the ExpressVote XL voting machine at the Reading Terminal Market in Philadelphia. – AP

Vendors said they have been making consistent improvements in election systems. And many state officials say they are wary of federal involvement in state and local elections.

It’s unclear whether the often hefty expense of security updates would be paid by vendors operating on razor-thin profit margins or cash-strapped jurisdictions.

It’s also uncertain if a version running on Windows 10, which has more security features, can be certified and rolled out in time for primaries.

The AP surveyed all 50 states, the District of Columbia and territories, and found multiple battleground states affected by the end of Windows 7 support, including Pennsylvania, Wisconsin, Florida, Iowa, Indiana, Arizona and North Carolina. Also affected are Michigan, which recently acquired a new system, and Georgia, which will announce its new system soon.

“Is this a bad joke?” said Executive Director of the Coalition for Good Governance Marilyn Marks an election integrity advocacy organisation, upon learning about the Windows 7 issue. Her group sued Georgia to get it to ditch its paperless voting machines and adopt a more secure system. Georgia recently piloted a system running on Windows 7 that was praised by state officials.

If Georgia selects a system that runs on Windows 7, Marks said, her group will go to court to block the purchase. State elections spokeswoman Tess Hammock declined to comment because Georgia hasn’t officially selected a vendor. The election technology industry is dominated by three titans: Omaha, Nebraska-based Election Systems and Software LLC; Denver, Colorado-based Dominion Voting Systems Inc; and Austin, Texas-based Hart InterCivic Inc.

They make up about 92 per cent of election systems used nationwide, according to a 2017 study. All three have worked to win over states newly infused with federal funds and eager for an update.

United States (US) officials determined that Russia interfered in the 2016 presidential election and have warned that Russia, China and other nations are trying to influence the 2020 elections.

Of the three companies, only Dominion’s newer systems aren’t touched by upcoming Windows software issues — though it has election systems acquired from no-longer-existing companies that may run on even older operating systems.

Hart’s system runs on a Windows version that reaches its end of life on October 13, 2020, weeks before the election.